SlideShare a Scribd company logo

Lecture31.ppt

Download as PPT, PDF
A
amanyosama21

This document provides an overview of secure cloud computing. It discusses key topics such as cloud computing infrastructure security, cloud storage and data security, identity management in the cloud, security management in the cloud, privacy, audit and compliance, cloud service providers, and the impact of cloud computing. The document outlines these topics and provides details on definitions, challenges, standards, and best practices within each area as it relates to secure cloud computing.

Education
1 of 54
Dr. Bhavani Thuraisingham November, 2012 A Comprehensive Overview of Secure Cloud Computing
Outline  What is Cloud Computing  Cloud Computing Infrastructure Security  Cloud Storage and Data Security  Identity Management in the Cloud  Security Management in the Cloud  Privacy  Audit and Compliance  Cloud Service Providers  Security as a Service  Impact of Cloud Computing  Directions  Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers
What is Cloud Computing?  Definition  SPI Framework  Traditional Software Model  Cloud Services Delivery Model  Deployment Model  Key Drivers  Impact  Governance  Barriers
Definition of Cloud Computing  Multitenancy - shared resources  Massive scalability  Elasticity  Pay as you go  Self provisioning of resources
SPI Framework  Software as a Service (SAAS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)  Several Technologies work together - Cloud access devices - Browsers and thin clients - High speed broad band access - Data centers and Server farms - Storage devices - Virtualization technologies - APIs
Traditional Software Model  Large upfront licensing costs  Annual support costs  Depends on number of users  Not based on usage  Organization is responsible for hardware  Security is a consideration  Customized applications
Cloud Services Delivery Model  SaaS - Rents software on a subscription basis - Service includes software, hardware and support - Users access the service through authorized device - Suitable for a company to outsource hosting of apps  PaaS - Vendor offers development environment to application developers - Provide develops toolkits, building blocks, payment hooks  IaaS - Processing power and storage service - Hypervisor is at this level
Deployment Models  Public Clouds - Hosted, operated and managed by third party vendor - Security and day to day management by the vendor  Private Clouds - Networks, infrastructures, data centers owned by the organization  Hybrid Clouds - Sensitive applications in a private cloud and non sensitive applications in a public cloud
Key Drivers  Small investment and low ongoing costs  Economies of scale  Open standards  Sustainability
Impact  How are the following communities Impacted by the Cloud?  Individual Customers  Individual Businesses  Start-ups  Small and Medium sized businesses  Large businesses
Governance  Five layers of governance for IT are Network, Storage Server, Services and Apps  For on premise hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks  For SaaS model all layers are controlled by the vendor  For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor  For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor
Barriers  Security  Privacy  Connectivity and Open access  Reliability  Interoperability  Independence from CSP (cloud service provider)  Economic value  IR governance  Changes in IT organization  Political issues
Cloud Computing Infrastructure Security  Infrastructure Security at the Network Level  Infrastructure Security at the Host Level  Infrastructure Security at the Application Level  Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels
Security at the Network Level  Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider  Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud  Ensuring availability of the Internet facing resources of the public cloud used by the organization  Replacing the established network zones and tiers with domains  How can you mitigate the risk factors?
Security at the Host Level  Host security at PaaS and SaaS Level - Both the PaaS and SaaS hide the host operating system from end users - Host security responsibilities in SaaS and PaaS are transferred to CSP  Host security at IaaS Level - Virtualization software security  Hypervisor security  Threats: Blue Pill attack on the hypervisor - Customer guest OS or virtual server security  Attacks to the guest OS: e.g., stealing keys used to access and manage the hosts
Security at the Application Level  Usually it’s the responsibility of both the CSP and the customer  Application security at the SaaS level - SaaS Providers are responsible for providing application security  Application security at the PaaS level - Security of the PaaS Platform - Security of the customer applications deployed on a PaaS platform  Application security at the IaaS Level - Customer applications treated a black box - IaaS is not responsible for application level security
Cloud Storage and Data Security  Aspects of Data Security  Data Security Mitigation  Provider Data and its Security
Aspects of Data Security  Security for - Data in transit - Data at rest - Processing of data including multitenancy - Data Lineage - Data Provenance - Data remnance  Solutions include encryption, identity management, sanitation
Data Security Mitigation  Even through data in transit is encrypted, use of the data in the cloud will require decryption. - That is, cloud will have unencrypted data  Mitigation - Sensitive data cannot be stored in a public cloud - Homomorphic encryption may be a solution in the future
Provider Data and its Security  What data does the provider collect – e.g., metadata, and how can this data be secured?  Data security issues - Access control, Key management for encrypting  Confidentiality, Integrity and Availability are objectives of data security in the cloud
Identity and Access Management (IAM) in the Cloud  Trust boundaries and IAM  Why IAM?  IAM challenges  IAM definitions  IAM architecture and practice  Getting ready for the cloud  Relevant IAM standards and protocols for cloud services  IAM practices in the cloud  Cloud authorization management  Cloud Service provider IAM practice
Trust Boundaries and IAM  In a traditional environment, trust boundary is within the control of the organization  This includes the governance of the networks, servers, services, and applications  In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well ass organizations  Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization  Core of the architecture is the directory service which is the repository for the identity, credentials and user attributes
Why IAM  Improves operational efficiency and regulatory compliance management  IAM enables organizations to achieve access cont6rol and operational security  Cloud use cases that need IAM - Organization employees accessing SaaS se4rvidce using identity federation - IT admin access CSP management console to provision resources and access foe users using a corporate identity - Developers creating accounts for partner users in PaaS - End uses access storage service in a cloud - Applications residing in a cloud serviced provider access storage from another cloud service
IAM Challenges  Provisioning resources to users rapidly to accommodate their changing roles  Handle turnover in an organization  Disparate dictionaries, identities, access rights  Need standards and protocols that address the IAM challenges
IAM Definitions  Authentication - Verifying the identity of a user, system or service  Authorization - Privileges that a user or system or service has after being authenticated (e.g., access control)  Auditing - Exam what the user, system or service has carried out - Check for compliance
IAM Practice  IAMN process consists of the following: - User management (for managing identity life cycles), - Authentication management, - Authorization management, - Access management, - Data management and provisioning, - Monitoring and auditing - Provisioning, - Credential and attribute management, - Entitlement management, - Compliance management, - Identity federation management, - Centralization of authentication and authorization,
Getting Ready for the Cloud  Organization using a cloud must plan for user account provisioning - How can a user be authenticated in a cloud  Organization can use cloud based solutions from a vendor for IAM (e.g., Symplified) - Identity Management as a Service  Industry standards for federated identity management - SAML, WS-Federation, Liberty Alliance
Relevant IAM Standards, Protocols for Cloud  IAM Standards and Specifications for Organizations - SAML - SPML - XACML - OAuth (Open Authentication) – cloud service X accessing data in cloud service Y without disclosing credentials  IAM Standards and Specifications for Consumers - OpenID - Information Cards - Open Authenticate (OATH) - Open Authentication API (OpenAuth)
IAM Practices in the Cloud  Cloud Identity Administration - Life cycle management of user identities in the cloud  Federated Identity (SSO) - Enterprise an enterprise Identity provider within an Organization perimeter - Cloud-based Identity provider
Cloud Authorization Management  XACML is the preferred model for authorization  RBAC is being explored  Dual roles: Administrator and User  IAM support for compliance management
Cloud Service Provider and IAM Practice  What is the responsibility of the CSP and the responsibility of the organization/enterprise?  Enterprise IAM requirements - Provisioning of cloud service accounts to users - Provisioning of cloud services for service to service integration’ - SSO support for users based on federation standards - Support for international and regulatory policy requirements - User activity monitoring  How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS
Security Management in the Cloud  Security Management Standards  Security Management in the Cloud  Availability Management  Access Control  Security Vulnerability, Patch and Configuration Management
Security Management Standards  Security Manage3ment has to be carried out in the cloud  Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002  What are the policies, procedures, processes and work instruction for managing security
Security Management in the Cloud  Availability Management (ITIL)  Access Control (ISIO, ITIL)  Vulnerability Management (ISO, IEC)  Patch Management (ITIL)  Configuration Management (ITIL)  Incident Response (ISO/IEC)  System use and Access Monitoring
Availability Management  SaaS availability - Customer responsibility: Customer must understand SLA and communication methods - SaaS health monitoring  PaaS availability - Customer responsibility - ‘PaaS health monitoring  IaaS availability - Customer responsibility - IaaS health monitoring
Access Control Management in the Cloud  Who should have access and why  How is a resources accessed  How is the access monitored  Impact of access control of SaaS, PaaS and IaaS
Security Vulnerability, Patch and Configuration (VPC) Management  How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment  What is the impact of VPS on SaaS, PaaS and IaaS
Privacy  Privacy and Data Life Cycle  Key Privacy Concerns in the Cloud  Who is Responsible for Privacy  Privacy Risk Management and Compliance ion the Cloud  Legal and Regulatory Requirements
Privacy and Data Life Cycle  Privacy: Accountability of organizations to data subjects as well as the transparency to an organization’s practice around personal information  Data Life Cycle - Generation, Use, Transfer, Transformation, Storage, Archival, Destruction - Need policies
Privacy Concerns in the Cloud  Access  Compliance  Storage  Retention  Destruction  Audit and Monitoring  Privacy Breaches
Who is Responsible for Privacy  Organization that collected the information in the first place – the owner organization  What is the role of the CSP?  Organizations can transfer liability but not accountability  Risk assessment and mitigation throughout the data lifecycle  Knowledge about legal obligations
Privacy Risk Management and Compliance  Collection Limitation Principle  Use Limitation Principle  Security Principle  Retention and Destruction Principle  Transfer Principle  Accountab9lity Principle
Legal and Regulatory Requirements  US Regulations - Federal Rules of Civil Procedure - US Patriot Act - Electronic Communications Privacy Act - FISMA - GLBA - HIPAA - HITECH Act  International regulations - EU Directive - APEC Privacy Framework
Audit and Compliance  Internal Policy Compliance  Governance, Risk and Compliance (GRC)  Control Objectives  Regulatory/External Compliance  Cloud Security Alliance  Auditing for Compliance
Audit and Compliance  Defines Strategy  Define Requirements (provide services to clients)  Defines Architecture (that is architect and structure services to meet requirements)  Define Policies  Defines process and procedures  Ongoing operations  Ongoing monitoring  Continuous improvement
Governance, Risk and Compliance  Risk assessment  Key controls (to address the risks and compliance requirements)  Monitoring  Reporting  Continuous improvement  Risk assessment – new IT projects and systems
Control Objectives  Security Policy  Organization of information security  Asset management  Human resources security  Physical and environmental security  Communications and operations management  Access control  Information systems acquisition, development and maintenance  Information Security incident management  Compliance  Key Management
Regulatory/External Compliance  Sarbanes-Oxley Act  PCI DSS  HIPAA  COBIT  What is the impact of Cloud computing on the above regulations?
Cloud Security Alliance (CSA)  Create and apply best practices to securing the cloud  Objectives include - Promote common level of understanding between consumers and providers - Promote independent research into best practices - Launch awareness and educational programs - Create consensus  White Paper produced by CSA consist of 15 domains - Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization, - - - -
Auditing for Compliance  Internal and External Audits  Audit Framework - SAS 70 - SysTrust - WebTrust - ISO 27001 certification  Relevance to Cloud
Cloud Service Providers  Amazon Web Services (IaaS)  Google (SaaS, PaaS)  Microsoft Azure (SaaS, IaaS)  Proofpoint (SaaS, IaaS)  RightScale (SaaS)  Slaeforce.com (SaaS, PaaS)  Sun Open Cloud Platform  Workday (SaaS)
Security as a Service  Email Filtering  Web Content Filtering  Vulnerability Management  Identity Management
Impact of Cloud Computing  Benefits - Low cost solution - Responsiveness flexibility - IT Expense marches Transaction volume - Business users are in direct control of technology decisions - Line between home computing applications and enterprise applications will blur  Threats - Vested interest of cloud providers - Less control over the use of technologies - Perceived risk of using cloud computing - Portability and Lock-in to Proprietary systems for CSPs - Lack of integration and componentization
Directions  Analysts predict that cloud computing will be a huge growth area  Cloud growth will be much higher than traditional IT growth  Will likely revolutionize IT  Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc will work for Cloud  Technologies will be enhanced (IaaS, PaaS, SaaS)  Security will continue o be a major concern

Recommended

Lecture5
Lecture5Lecture5
Lecture5josephineusha
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDSweta Kumari Barnwal
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it securityEast Midlands Cyber Security Forum
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxBabatundeAbioye2
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAmazon Web Services
 

Recommended

Lecture5
Lecture5Lecture5
Lecture5josephineusha
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDSweta Kumari Barnwal
 
talk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxtalk6securingcloudamarprusty-191030091632.pptx
talk6securingcloudamarprusty-191030091632.pptxTrongMinhHoang1
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it securityEast Midlands Cyber Security Forum
 
Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2Accelerated Saa S Exec Briefing V2
Accelerated Saa S Exec Briefing V2jeffirby
 
Cloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Customer Architecture for Securing Workloads on Cloud Services
Cloud Customer Architecture for Securing Workloads on Cloud ServicesCloud Standards Customer Council
 
ShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxShareResponsibilityModel.pptx
ShareResponsibilityModel.pptxBabatundeAbioye2
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAmazon Web Services
 
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...IBM Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Cloud Security
Cloud SecurityCloud Security
Cloud SecurityAWS User Group Bengaluru
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentCryptzone
 
Making Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonCA Nimsoft
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...Amazon Web Services
 
Building and Operating Clouds
Building and Operating CloudsBuilding and Operating Clouds
Building and Operating CloudsBMC Software
 
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOACA API Management
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice Corporation
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology GovernanceAlert Logic
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the CloudRochester Security Summit
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform SecuringLeo TechnoSoft
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspectivejmcdaniel650
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera Technologies
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityOrange Business Services
 
Cloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksCloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksWilliam McBorrough
 
UNIT -V.docx
UNIT -V.docxUNIT -V.docx
UNIT -V.docxRevathiparamanathan
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 
Architecting SaaS
Architecting SaaSArchitecting SaaS
Architecting SaaSAxEdge Consulting
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 

More Related Content

Similar to Lecture31.ppt

Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...IBM Security
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentCryptzone
 
Making Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonCA Nimsoft
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...Amazon Web Services
 
Building and Operating Clouds
Building and Operating CloudsBuilding and Operating Clouds
Building and Operating CloudsBMC Software
 
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOACA API Management
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice Corporation
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology GovernanceAlert Logic
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform SecuringLeo TechnoSoft
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspectivejmcdaniel650
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera Technologies
 
Cloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksCloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksWilliam McBorrough
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsDr. Sunil Kr. Pandey
 

Similar to Lecture31.ppt (20)

Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
Managing Identity from the Cloud: Transformation Advantages at VantisLife Ins...
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
 
Making Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark RivingtonMaking Sense Of Cloud Computing - by Mark Rivington
Making Sense Of Cloud Computing - by Mark Rivington
 
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
(ENT202) Four Critical Things to Consider When Moving Your Core Business Appl...
 
Building and Operating Clouds
Building and Operating CloudsBuilding and Operating Clouds
Building and Operating Clouds
 
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOALayer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
Layer 7 Technologies: Enabling Hybrid Enterprise/Cloud SOA
 
Softchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security WebinarSoftchoice & Microsoft: Public Cloud Security Webinar
Softchoice & Microsoft: Public Cloud Security Webinar
 
Modernizing Technology Governance
Modernizing Technology GovernanceModernizing Technology Governance
Modernizing Technology Governance
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
SaaS Platform Securing
SaaS Platform SecuringSaaS Platform Securing
SaaS Platform Securing
 
Cloud Ecosystems A Perspective
Cloud Ecosystems A PerspectiveCloud Ecosystems A Perspective
Cloud Ecosystems A Perspective
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Cloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and RisksCloud Computing - Security Benefits and Risks
Cloud Computing - Security Benefits and Risks
 
UNIT -V.docx
UNIT -V.docxUNIT -V.docx
UNIT -V.docx
 
Cloud Security, Standards and Applications
Cloud Security, Standards and ApplicationsCloud Security, Standards and Applications
Cloud Security, Standards and Applications
 
Architecting SaaS
Architecting SaaSArchitecting SaaS
Architecting SaaS
 

Recently uploaded

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 

Recently uploaded (20)

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 

Lecture31.ppt

  • 1. Dr. Bhavani Thuraisingham November, 2012 A Comprehensive Overview of Secure Cloud Computing
  • 2. Outline  What is Cloud Computing  Cloud Computing Infrastructure Security  Cloud Storage and Data Security  Identity Management in the Cloud  Security Management in the Cloud  Privacy  Audit and Compliance  Cloud Service Providers  Security as a Service  Impact of Cloud Computing  Directions  Reference: Cloud Security and Privacy: Mather, Kumaraswamy and Latif, O’Reilly Publishers
  • 3. What is Cloud Computing?  Definition  SPI Framework  Traditional Software Model  Cloud Services Delivery Model  Deployment Model  Key Drivers  Impact  Governance  Barriers
  • 4. Definition of Cloud Computing  Multitenancy - shared resources  Massive scalability  Elasticity  Pay as you go  Self provisioning of resources
  • 5. SPI Framework  Software as a Service (SAAS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)  Several Technologies work together - Cloud access devices - Browsers and thin clients - High speed broad band access - Data centers and Server farms - Storage devices - Virtualization technologies - APIs
  • 6. Traditional Software Model  Large upfront licensing costs  Annual support costs  Depends on number of users  Not based on usage  Organization is responsible for hardware  Security is a consideration  Customized applications
  • 7. Cloud Services Delivery Model  SaaS - Rents software on a subscription basis - Service includes software, hardware and support - Users access the service through authorized device - Suitable for a company to outsource hosting of apps  PaaS - Vendor offers development environment to application developers - Provide develops toolkits, building blocks, payment hooks  IaaS - Processing power and storage service - Hypervisor is at this level
  • 8. Deployment Models  Public Clouds - Hosted, operated and managed by third party vendor - Security and day to day management by the vendor  Private Clouds - Networks, infrastructures, data centers owned by the organization  Hybrid Clouds - Sensitive applications in a private cloud and non sensitive applications in a public cloud
  • 9. Key Drivers  Small investment and low ongoing costs  Economies of scale  Open standards  Sustainability
  • 10. Impact  How are the following communities Impacted by the Cloud?  Individual Customers  Individual Businesses  Start-ups  Small and Medium sized businesses  Large businesses
  • 11. Governance  Five layers of governance for IT are Network, Storage Server, Services and Apps  For on premise hosting, organization has control over Storage, Server, Services and Apps; Vendor and organization have share control over networks  For SaaS model all layers are controlled by the vendor  For the IaaS model, Apps are controlled by the organization, Services controlled by both while the network, storage and server controlled by the vendor  For PaaS, Apps and Services are controlled by both while servers, storage and network controlled by the vendor
  • 12. Barriers  Security  Privacy  Connectivity and Open access  Reliability  Interoperability  Independence from CSP (cloud service provider)  Economic value  IR governance  Changes in IT organization  Political issues
  • 13. Cloud Computing Infrastructure Security  Infrastructure Security at the Network Level  Infrastructure Security at the Host Level  Infrastructure Security at the Application Level  Note: We will examine IaaS, PaaS and SaaS Security issues at Network, Host and Application Levels
  • 14. Security at the Network Level  Ensuring data confidentiality and integrity of the organizations data in transit to and from the public cloud provider  Ensuring proper access control (Authentication, Authorization, Auditing) to resources in the public cloud  Ensuring availability of the Internet facing resources of the public cloud used by the organization  Replacing the established network zones and tiers with domains  How can you mitigate the risk factors?
  • 15. Security at the Host Level  Host security at PaaS and SaaS Level - Both the PaaS and SaaS hide the host operating system from end users - Host security responsibilities in SaaS and PaaS are transferred to CSP  Host security at IaaS Level - Virtualization software security  Hypervisor security  Threats: Blue Pill attack on the hypervisor - Customer guest OS or virtual server security  Attacks to the guest OS: e.g., stealing keys used to access and manage the hosts
  • 16. Security at the Application Level  Usually it’s the responsibility of both the CSP and the customer  Application security at the SaaS level - SaaS Providers are responsible for providing application security  Application security at the PaaS level - Security of the PaaS Platform - Security of the customer applications deployed on a PaaS platform  Application security at the IaaS Level - Customer applications treated a black box - IaaS is not responsible for application level security
  • 17. Cloud Storage and Data Security  Aspects of Data Security  Data Security Mitigation  Provider Data and its Security
  • 18. Aspects of Data Security  Security for - Data in transit - Data at rest - Processing of data including multitenancy - Data Lineage - Data Provenance - Data remnance  Solutions include encryption, identity management, sanitation
  • 19. Data Security Mitigation  Even through data in transit is encrypted, use of the data in the cloud will require decryption. - That is, cloud will have unencrypted data  Mitigation - Sensitive data cannot be stored in a public cloud - Homomorphic encryption may be a solution in the future
  • 20. Provider Data and its Security  What data does the provider collect – e.g., metadata, and how can this data be secured?  Data security issues - Access control, Key management for encrypting  Confidentiality, Integrity and Availability are objectives of data security in the cloud
  • 21. Identity and Access Management (IAM) in the Cloud  Trust boundaries and IAM  Why IAM?  IAM challenges  IAM definitions  IAM architecture and practice  Getting ready for the cloud  Relevant IAM standards and protocols for cloud services  IAM practices in the cloud  Cloud authorization management  Cloud Service provider IAM practice
  • 22. Trust Boundaries and IAM  In a traditional environment, trust boundary is within the control of the organization  This includes the governance of the networks, servers, services, and applications  In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well ass organizations  Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization  Core of the architecture is the directory service which is the repository for the identity, credentials and user attributes
  • 23. Why IAM  Improves operational efficiency and regulatory compliance management  IAM enables organizations to achieve access cont6rol and operational security  Cloud use cases that need IAM - Organization employees accessing SaaS se4rvidce using identity federation - IT admin access CSP management console to provision resources and access foe users using a corporate identity - Developers creating accounts for partner users in PaaS - End uses access storage service in a cloud - Applications residing in a cloud serviced provider access storage from another cloud service
  • 24. IAM Challenges  Provisioning resources to users rapidly to accommodate their changing roles  Handle turnover in an organization  Disparate dictionaries, identities, access rights  Need standards and protocols that address the IAM challenges
  • 25. IAM Definitions  Authentication - Verifying the identity of a user, system or service  Authorization - Privileges that a user or system or service has after being authenticated (e.g., access control)  Auditing - Exam what the user, system or service has carried out - Check for compliance
  • 26. IAM Practice  IAMN process consists of the following: - User management (for managing identity life cycles), - Authentication management, - Authorization management, - Access management, - Data management and provisioning, - Monitoring and auditing - Provisioning, - Credential and attribute management, - Entitlement management, - Compliance management, - Identity federation management, - Centralization of authentication and authorization,
  • 27. Getting Ready for the Cloud  Organization using a cloud must plan for user account provisioning - How can a user be authenticated in a cloud  Organization can use cloud based solutions from a vendor for IAM (e.g., Symplified) - Identity Management as a Service  Industry standards for federated identity management - SAML, WS-Federation, Liberty Alliance
  • 28. Relevant IAM Standards, Protocols for Cloud  IAM Standards and Specifications for Organizations - SAML - SPML - XACML - OAuth (Open Authentication) – cloud service X accessing data in cloud service Y without disclosing credentials  IAM Standards and Specifications for Consumers - OpenID - Information Cards - Open Authenticate (OATH) - Open Authentication API (OpenAuth)
  • 29. IAM Practices in the Cloud  Cloud Identity Administration - Life cycle management of user identities in the cloud  Federated Identity (SSO) - Enterprise an enterprise Identity provider within an Organization perimeter - Cloud-based Identity provider
  • 30. Cloud Authorization Management  XACML is the preferred model for authorization  RBAC is being explored  Dual roles: Administrator and User  IAM support for compliance management
  • 31. Cloud Service Provider and IAM Practice  What is the responsibility of the CSP and the responsibility of the organization/enterprise?  Enterprise IAM requirements - Provisioning of cloud service accounts to users - Provisioning of cloud services for service to service integration’ - SSO support for users based on federation standards - Support for international and regulatory policy requirements - User activity monitoring  How can enterprises expand their IAM requirements to SaaS, PaaS and IaaS
  • 32. Security Management in the Cloud  Security Management Standards  Security Management in the Cloud  Availability Management  Access Control  Security Vulnerability, Patch and Configuration Management
  • 33. Security Management Standards  Security Manage3ment has to be carried out in the cloud  Standards include ITIL (Information Technology Infrastructure Library) and ISO 27001/27002  What are the policies, procedures, processes and work instruction for managing security
  • 34. Security Management in the Cloud  Availability Management (ITIL)  Access Control (ISIO, ITIL)  Vulnerability Management (ISO, IEC)  Patch Management (ITIL)  Configuration Management (ITIL)  Incident Response (ISO/IEC)  System use and Access Monitoring
  • 35. Availability Management  SaaS availability - Customer responsibility: Customer must understand SLA and communication methods - SaaS health monitoring  PaaS availability - Customer responsibility - ‘PaaS health monitoring  IaaS availability - Customer responsibility - IaaS health monitoring
  • 36. Access Control Management in the Cloud  Who should have access and why  How is a resources accessed  How is the access monitored  Impact of access control of SaaS, PaaS and IaaS
  • 37. Security Vulnerability, Patch and Configuration (VPC) Management  How can security vulnerability, patch and configuration management for an organization be extended to a cloud environment  What is the impact of VPS on SaaS, PaaS and IaaS
  • 38. Privacy  Privacy and Data Life Cycle  Key Privacy Concerns in the Cloud  Who is Responsible for Privacy  Privacy Risk Management and Compliance ion the Cloud  Legal and Regulatory Requirements
  • 39. Privacy and Data Life Cycle  Privacy: Accountability of organizations to data subjects as well as the transparency to an organization’s practice around personal information  Data Life Cycle - Generation, Use, Transfer, Transformation, Storage, Archival, Destruction - Need policies
  • 40. Privacy Concerns in the Cloud  Access  Compliance  Storage  Retention  Destruction  Audit and Monitoring  Privacy Breaches
  • 41. Who is Responsible for Privacy  Organization that collected the information in the first place – the owner organization  What is the role of the CSP?  Organizations can transfer liability but not accountability  Risk assessment and mitigation throughout the data lifecycle  Knowledge about legal obligations
  • 42. Privacy Risk Management and Compliance  Collection Limitation Principle  Use Limitation Principle  Security Principle  Retention and Destruction Principle  Transfer Principle  Accountab9lity Principle
  • 43. Legal and Regulatory Requirements  US Regulations - Federal Rules of Civil Procedure - US Patriot Act - Electronic Communications Privacy Act - FISMA - GLBA - HIPAA - HITECH Act  International regulations - EU Directive - APEC Privacy Framework
  • 44. Audit and Compliance  Internal Policy Compliance  Governance, Risk and Compliance (GRC)  Control Objectives  Regulatory/External Compliance  Cloud Security Alliance  Auditing for Compliance
  • 45. Audit and Compliance  Defines Strategy  Define Requirements (provide services to clients)  Defines Architecture (that is architect and structure services to meet requirements)  Define Policies  Defines process and procedures  Ongoing operations  Ongoing monitoring  Continuous improvement
  • 46. Governance, Risk and Compliance  Risk assessment  Key controls (to address the risks and compliance requirements)  Monitoring  Reporting  Continuous improvement  Risk assessment – new IT projects and systems
  • 47. Control Objectives  Security Policy  Organization of information security  Asset management  Human resources security  Physical and environmental security  Communications and operations management  Access control  Information systems acquisition, development and maintenance  Information Security incident management  Compliance  Key Management
  • 48. Regulatory/External Compliance  Sarbanes-Oxley Act  PCI DSS  HIPAA  COBIT  What is the impact of Cloud computing on the above regulations?
  • 49. Cloud Security Alliance (CSA)  Create and apply best practices to securing the cloud  Objectives include - Promote common level of understanding between consumers and providers - Promote independent research into best practices - Launch awareness and educational programs - Create consensus  White Paper produced by CSA consist of 15 domains - Architecture, Risk management, Legal, Lifecycle management, applications security, storage, virtualization, - - - -
  • 50. Auditing for Compliance  Internal and External Audits  Audit Framework - SAS 70 - SysTrust - WebTrust - ISO 27001 certification  Relevance to Cloud
  • 51. Cloud Service Providers  Amazon Web Services (IaaS)  Google (SaaS, PaaS)  Microsoft Azure (SaaS, IaaS)  Proofpoint (SaaS, IaaS)  RightScale (SaaS)  Slaeforce.com (SaaS, PaaS)  Sun Open Cloud Platform  Workday (SaaS)
  • 52. Security as a Service  Email Filtering  Web Content Filtering  Vulnerability Management  Identity Management
  • 53. Impact of Cloud Computing  Benefits - Low cost solution - Responsiveness flexibility - IT Expense marches Transaction volume - Business users are in direct control of technology decisions - Line between home computing applications and enterprise applications will blur  Threats - Vested interest of cloud providers - Less control over the use of technologies - Perceived risk of using cloud computing - Portability and Lock-in to Proprietary systems for CSPs - Lack of integration and componentization
  • 54. Directions  Analysts predict that cloud computing will be a huge growth area  Cloud growth will be much higher than traditional IT growth  Will likely revolutionize IT  Need to examine how traditional solutions for IAM, Governance, Risk Assessment etc will work for Cloud  Technologies will be enhanced (IaaS, PaaS, SaaS)  Security will continue o be a major concern